Expiring Certificates
This document will use the actual root cause analysis information to make a generic view that can be used if you run into the same or similar problem. Finally, the document will describe the situation, the problem, the analysis, and the result.
Should you have any questions, please get in touch with academy@emagiz.com.
1. Situation
The user was confronted with errors on the flow level, and a previously working connection to an external system suddenly broke down. In these instances, the user got errors indicating a certificate problem (i.e. validity check failed).
2. Problem
In this case, the problem is a user confronted with an expired certificate regarding communication with an external party. Sometimes, this is the SSL certificate (that provides the S in HTTPS), and sometimes, this is the client certificate; regardless of the type of certificate, it needs to be replaced by a certificate that is not expired.
3. Analysis
3.1 Reproduction
Given that it was an immediate problem in Production, there was not much time to reproduce the issue. So we hunted down the certificate, which you can do by asking the external party or, in case of an HTTPS connection, by opening the endpoint in the browser and clicking on the icon in front of the address, as shown below. Once you have the new certificate, it becomes a matter of updating the existing resource with the new certificate and redeploying the solution. Depending on the type of resource used, you can either overwrite the resource (i.e., P12) or you first need to create a JKS including the new certificate before replacing the resource.
3.2 Analysis
By checking the current resource(s) in your flow, you can determine whether the certificate(s) are expired by opening them with the help of external tooling such as Keystore Explorer.
4. Result
After updating the resources in the flow to reflect the new certificate(s), the connection between eMagiz and the external party was established again.